[Bug 294833] LOCAL_PEERCRED does not return cr_pid in 32-bit compat mode
Date: Mon, 27 Apr 2026 22:27:28 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294833
Bug ID: 294833
Summary: LOCAL_PEERCRED does not return cr_pid in 32-bit compat mode
Product: Base System
Version: 15.0-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: asomers@FreeBSD.org
Background
==========
The LOCAL_PEERCRED sockopt is supposed to return the credentials of the process
that owns the peer side of a connection-oriented unix domain socket. It
returns the peer's UID, GID, supplementary group list (up to 16), and pid.
Problem
=======
When the sockopt is fetched by a 32-bit process running on a 64-bit kernel, the
structure's size is defined differently for the process than it is for the
kernel. The kernel fails to check that, and populates the structure as if it
were the 64-bit version. The problem is the anonymous union in struct xucred
that contains a pointer. The userspace process thinks that the union is 4
bytes large, but the kernel thinks that it's 8 bytes large. As a result, the
kernel will always populate the cr_pid field with 0.
Steps to Reproduce
==================
Build and run the attached program on a 64-bit host:
$ cc -m32 -o LOCAL_PEERCRED -Wall LOCAL_PEERCRED.c
$ ./LOCAL_PEERCRED
sizeof(struct xucred)=0x50
My pid = 0x192c
cr_uid=1000 cr_gid=1000 cr_pid=0
0000: 0000 0000 03e8 0000 0008 0000 03e8 0000
0010: 0000 0000 0005 0000 000d 0000 002c 0000
0020: 0074 0000 01be 0000 03e8 0000 0000 0000
0030: 0000 0000 0000 0000 0000 0000 0000 0000
0040: 0000 0000 0000 0000 0000 0000 0000 0000
0050: 192c 0000 0000 0000 c952 2059 0001 0000
Note that the kernel returns the correct pid (0x192c), but it returns it at
offset 0x50, which is beyond the end of the xucred struct.
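The offset mismatch described above can be reproduced on any host with the added example below, which is not part of the original report or of FreeBSD's source. The names xucred32, xucred64 and pid_seen_by_32bit_caller are hypothetical, and the field layout is an assumption based on the report's description (16 groups, a trailing union holding a pointer and cr_pid).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XU_NGROUPS 16

/* Assumed mirror of struct xucred as a 32-bit (cc -m32) process lays it out. */
struct xucred32 {
    uint32_t cr_version;
    uint32_t cr_uid;
    int16_t  cr_ngroups;
    uint32_t cr_groups[XU_NGROUPS];
    union { uint32_t unused_ptr; int32_t cr_pid; };  /* 4-byte pointer */
};

/* The same declaration as a 64-bit kernel lays it out. */
struct xucred64 {
    uint32_t cr_version;
    uint32_t cr_uid;
    int16_t  cr_ngroups;
    uint32_t cr_groups[XU_NGROUPS];
    union { _Alignas(8) uint64_t unused_ptr; int32_t cr_pid; };  /* 8-byte pointer */
};

/*
 * Model of the copy-out (not kernel code). translate == 0 stores the pid at
 * the 64-bit offset, as in the report; translate != 0 stores it at the offset
 * the 32-bit caller reads. Returns the cr_pid the 32-bit caller sees.
 */
int32_t pid_seen_by_32bit_caller(int32_t peer_pid, int translate)
{
    unsigned char buf[sizeof(struct xucred64)] = {0};  /* constructed reply */
    size_t off = translate ? offsetof(struct xucred32, cr_pid)
                           : offsetof(struct xucred64, cr_pid);
    int32_t seen;
    memcpy(buf + off, &peer_pid, sizeof(peer_pid));
    /* The 32-bit process only looks inside its own 0x50-byte view. */
    memcpy(&seen, buf + offsetof(struct xucred32, cr_pid), sizeof(seen));
    return seen;
}

int main(void)
{
    printf("32-bit cr_pid@%#zx, 64-bit cr_pid@%#zx\n",
           offsetof(struct xucred32, cr_pid), offsetof(struct xucred64, cr_pid));
    printf("raw=%d translated=%d\n", (int)pid_seen_by_32bit_caller(0x192c, 0),
           (int)pid_seen_by_32bit_caller(0x192c, 1));
    return 0;
}
```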